Terms of Service & Privacy Policy
Version 1.0 - Effective January 25, 2026
1. Introduction
Welcome to the START (Shelford Advanced Robotic Training) Programme Training Log. This document outlines our Terms of Service and Privacy Policy in compliance with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.
2. Data We Collect
2.1 Personal Information
- Name and email address
- Role (trainee or supervisor)
- Hospital and training programme affiliation
2.2 Training Data
- Robotic surgery training session records
- Procedure logs and surgical case data
- Performance assessments and competency evaluations
- Skills progression tracking
- Supervisor feedback and notes
- START Programme phase completion records
2.3 Technical Data
- Login timestamps and access logs
- Browser type and IP address (for security)
3. How We Use Your Data
Your data is used exclusively for:
- Training Documentation: Recording your surgical training progression
- Competency Assessment: Evaluating skills development and readiness for independent practice
- Quality Assurance: Monitoring training programme effectiveness
- Patient Safety: Maintaining audit trails of surgeon training and competency
- Regulatory Compliance: Meeting requirements set by the General Medical Council (GMC), Royal College of Surgeons, and NHS trusts
- Programme Administration: Managing the START Programme across participating Shelford Group hospitals
4. Data Retention & Medical Record Requirements
4.1 Why Data Must Be Retained
Surgical training data serves several critical purposes that require long-term retention:
- Audit Trails: Healthcare regulators require complete records of surgeon training history
- Patient Safety: In the event of adverse outcomes, training records may be needed to establish competency and appropriate supervision
- Professional Revalidation: GMC revalidation processes may require access to historical training data
- Programme Accreditation: Training programmes must demonstrate trainee progression to maintain accreditation
- Legal Requirements: NHS litigation and investigation processes may require access to training records for up to 25 years
4.2 Retention Periods
- Training Session Data: Retained for 25 years in compliance with NHS records management guidelines
- Competency Assessments: Retained for 25 years
- Surgical Case Logs: Retained for 25 years
- Personal Contact Information: Retained while account is active, anonymized upon account closure
5. Your Rights Under GDPR
5.1 Right to Access
You can request a complete copy of all your personal data at any time via the Account Settings page.
5.2 Right to Rectification
You can update your personal information and correct errors in training records through the application.
5.3 Right to Data Portability
You can export your data in JSON or CSV format via Account Settings.
5.4 Right to Erasure ("Right to be Forgotten") - Important Limitations
While GDPR grants a right to erasure, this right is limited when data must be retained for compliance with legal obligations (GDPR Article 17(3)(b)).
When you request account closure:
- Personal contact information (name, email) will be anonymized
- Training data (session logs, assessments, surgical cases) will be retained but de-identified
- You will no longer be able to access the system
- Your data will be marked as "User [Anonymous ID]" in the system
5.5 Right to Object
You have the right to object to data processing. However, if you object to the collection of training data, you will be unable to participate in the START Programme, as this data collection is essential to the training programme's purpose.
6. Data Security
We protect your data using:
- Encryption in transit (HTTPS/TLS)
- Encrypted database storage on Microsoft Azure UK South datacenter
- Geo-redundant backups (35-day retention)
- Role-based access control
- Regular security audits
- ISO 27001 compliant cloud infrastructure
7. Data Sharing
Your data is shared only with:
- Your designated supervisors within the START Programme
- Programme administrators at participating Shelford Group hospitals
- Regulators (GMC, Royal College of Surgeons) if required by law
We will never sell your data or share it with third parties for marketing purposes.
8. Cookies and Tracking
This application uses only essential session cookies required for authentication. We do not use analytics, advertising, or tracking cookies.
9. Account Closure Process
If you wish to close your account:
- Navigate to Account Settings
- Request account closure
- Confirm that you understand training data will be retained but anonymized
- Your personal identifiers will be removed within 30 days
- Training records will remain in the system as "Anonymous User [ID]" for the required retention period
10. Changes to This Policy
We may update this policy to reflect changes in legal requirements or our practices. You will be notified of significant changes via email and required to accept the updated terms to continue using the service.
11. Children's Privacy
This service is intended for medical professionals aged 18 and over. We do not knowingly collect data from minors.
12. International Data Transfers
All data is stored within the United Kingdom (Microsoft Azure UK South region) and is not transferred outside the UK/EEA.
13. Contact & Data Protection Officer
Data Controller: The Shelford Group
Contact: For questions about your data or to exercise your rights, please contact your local START Programme coordinator
Complaints: If you are unhappy with how your data is handled, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): www.ico.org.uk
14. Acceptance
By clicking "I Accept" during signup, you confirm that you:
- Have read and understood this Terms of Service and Privacy Policy
- Consent to the collection and processing of your data as described
- Understand that training data must be retained for patient safety and regulatory compliance
- Acknowledge that account closure will anonymize but not delete training records
